Elastic Security, powered by one of the biggest engineering groups inside Elastic today, is operationalizing the speed, scale, and relevance of the Elastic Stack for security use cases. Get an inside look into how Elastic Security works under the hood so you can learn how to make the most of the Elastic Stack for security. We’ll cover the main technical decisions for the detection engine, our endpoint protection, Fleet, data ingestion, and more.
2. Forward-Looking Statements
This presentation and the accompanying oral presentation contain forward-looking statements, including statements concerning plans for future offerings; the expected strength, performance or benefits of our offerings; and our future operations and expected performance. These forward-looking statements are subject to the safe harbor provisions under the Private Securities Litigation Reform Act of 1995. Our expectations and beliefs in light of currently available information regarding these matters may not materialize. Actual outcomes and results may differ materially from those contemplated by these forward-looking statements due to uncertainties, risks, and changes in circumstances, including, but not limited to those related to: the impact of the COVID-19 pandemic on our business and our customers and partners; our ability to continue to deliver and improve our offerings and successfully develop new offerings, including security-related product offerings and SaaS offerings; customer acceptance and purchase of our existing offerings and new offerings, including the expansion and adoption of our SaaS offerings; our ability to realize value from investments in the business, including R&D investments; our ability to maintain and expand our user and customer base; our international expansion strategy; our ability to successfully execute our go-to-market strategy and expand in our existing markets and into new markets, and our ability to forecast customer retention and expansion; and general market, political, economic and business conditions.
Additional risks and uncertainties that could cause actual outcomes and results to differ materially are included in our filings with the Securities and Exchange Commission (the “SEC”), including our Annual Report on Form 10-K for the most recent fiscal year, our quarterly report on Form 10-Q for the most recent fiscal quarter, and any subsequent reports filed with the SEC. SEC filings are available on the Investor Relations section of Elastic’s website at ir.elastic.co and the SEC’s website at www.sec.gov.
Any features or functions of services or products referenced in this presentation, or in any presentations, press releases or public statements, which are not currently available or not currently available as a general availability release, may not be delivered on time or at all. The development, release, and timing of any features or functionality described for our products remains at our sole discretion. Customers who purchase our products and services should make the purchase decisions based upon services and product features and functions that are currently available.
All statements are made only as of the date of the presentation, and Elastic assumes no obligation to, and does not currently intend to, update any forward-looking statements or statements relating to features or functions of services or products, except as required by law.
4. 10,000 foot view
As simple as it gets:
• Agent: collect and normalize data from hundreds of integrations
• Elasticsearch: storage, indexing, data life-cycle
• Kibana: detections, alerts, threat hunting, threat intel
6. Scaling to multiple clusters
Use different clusters for different use-cases or tenants: each cluster is its own Elasticsearch + Kibana pair, and Cross-Cluster Search spans them.
See also: Using Elastic @ Elastic: InfoSec and Elastic Security
9. Zoom and Enhance: Ingest
Data normalization with ECS: the Agent ships data to Elasticsearch already normalized as ECS.
• Elastic Common Schema (ECS, https://github.com/elastic/ecs)
• Open source event schema
• Common host, user, source, destination, etc. fields across all our data sources
See also: The importance of normalizing your security data
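The normalization this slide describes, as an added example that is not code from the deck or from the ECS project: two constructed raw records, an sshd syslog line and a Windows-style logon record, are mapped onto the shared ECS fields (host.name, user.name, source.ip, event.outcome) so that a single check covers both sources. The regex, the event.dataset values and the helper names are assumptions for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed raw inputs in two unrelated native formats.
SSH_SYSLOG = ("2024-01-01T12:00:00Z bastion01 sshd[4711]: "
              "Accepted publickey for alice from 10.0.0.7 port 51234 ssh2")
WIN_LOGON = {"EventID": 4624, "Computer": "WS-042", "TargetUserName": "bob",
             "IpAddress": "192.168.1.20", "IpPort": "49152",
             "TimeCreated": "2024-01-01T12:00:05Z"}

SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
                    r"\S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

def ecs_base(timestamp, host, user, src_ip, src_port, action, outcome, dataset):
    """The ECS fields every source shares (host.*, user.*, source.*, event.*)."""
    return {
        "@timestamp": timestamp,
        "event": {"kind": "event", "category": ["authentication"], "action": action,
                  "outcome": outcome, "dataset": dataset,   # dataset names are assumed
                  "ingested": datetime.now(timezone.utc).isoformat()},
        "host": {"name": host},
        "user": {"name": user},
        "source": {"ip": src_ip, "port": int(src_port)},
    }

def normalize_ssh(line):
    """sshd syslog line -> ECS document."""
    m = SSH_RE.match(line)
    if not m:
        raise ValueError("unrecognized sshd line")
    outcome = "success" if m["result"] == "Accepted" else "failure"
    return ecs_base(m["ts"], m["host"], m["user"], m["ip"], m["port"],
                    "ssh_login", outcome, "system.auth")

def normalize_windows_logon(rec):
    """Windows logon record (event 4624 = success, 4625 = failure) -> ECS document."""
    outcome = "success" if rec["EventID"] == 4624 else "failure"
    return ecs_base(rec["TimeCreated"], rec["Computer"], rec["TargetUserName"],
                    rec["IpAddress"], rec["IpPort"], "logged-in", outcome, "windows.security")

def logins_from_outside(docs, allowed_cidr):
    """One check over both sources written only against the shared ECS fields:
    successful logins whose source.ip lies outside the allowed network."""
    net = ipaddress.ip_network(allowed_cidr)
    return [(d["host"]["name"], d["user"]["name"], d["source"]["ip"]) for d in docs
            if d["event"]["outcome"] == "success"
            and ipaddress.ip_address(d["source"]["ip"]) not in net]
```

Because both documents share the same field names, the check never needs to know which product produced the record.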
10. Zoom and Enhance: Fleet
Configuration management for Agents:
• The Agent enrolls with Fleet in Kibana and receives its config + API token
• The Agent writes its data to Elasticsearch append only
• Mapping templates are set up in Elasticsearch
See also: One agent, one click, and the future of data ingest with Elastic
13. Zoom and Enhance: Detections
Detection engine rule types
See also: Advanced correlations for threat detection and more
14. Zoom and Enhance: Detections
Alerts (a.k.a. Signals)
Detection rule:
● wake up every 5m
● run a search
● for each match, create an alert in .siem-signals-<space-id>-0001
Each alert document records the alert id, the rule, and the original event.
The space-id makes Alerts space-specific for multi-tenancy; the index is rotated by ILM.
15. Zoom and Enhance: Detections
Query rule configuration
Rule executions on a time axis (0, 5, 10, 15 minutes): each execution queries the interval plus an additional look-back time, so consecutive windows overlap.
• query time = interval + look-back time
• Deduplication removes duplicates
• Using event.ingested makes this less prone to delayed ingestion
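An added simulation of the scheduling on this slide (not code from the deck): a rule that wakes up every 5m with an assumed 1m look-back runs over constructed events, once querying on @timestamp and once on event.ingested, with one event indexed 8 minutes late. The hash-based alert id used for deduplication and all names are assumptions for illustration, not Elastic's scheme.

```python
import hashlib
from datetime import datetime, timedelta, timezone

RULE_ID = "rule-0001"              # constructed rule id
INTERVAL = timedelta(minutes=5)    # rule wakes up every 5m (from the slide)
LOOKBACK = timedelta(minutes=1)    # assumed additional look-back time

def ts(hh, mm, ss=0):
    return datetime(2024, 1, 1, hh, mm, ss, tzinfo=timezone.utc)

# Constructed events: when each happened (@timestamp) vs. when it was indexed.
EVENTS = [
    {"_index": "filebeat-000001", "_id": "e1", "@timestamp": ts(12, 3), "event.ingested": ts(12, 3, 30)},
    {"_index": "filebeat-000001", "_id": "e2", "@timestamp": ts(12, 1), "event.ingested": ts(12, 9)},  # 8 min late
    {"_index": "filebeat-000001", "_id": "e3", "@timestamp": ts(12, 4, 30), "event.ingested": ts(12, 4, 40)},
]

def execution_window(run_at, interval=INTERVAL, lookback=LOOKBACK):
    """Time range one execution queries: query time = interval + look-back."""
    return run_at - interval - lookback, run_at

def alert_id_for(event):
    # Deterministic id so the same event always yields the same alert (assumed scheme).
    key = f"{RULE_ID}:{event['_index']}:{event['_id']}".encode()
    return hashlib.sha256(key).hexdigest()

def run_rule(run_at, time_field, seen):
    """One execution: match events already indexed by run_at whose time_field is
    inside the window, dropping alerts that an earlier overlapping run created."""
    start, end = execution_window(run_at)
    created, suppressed = [], 0
    for ev in EVENTS:
        # Not indexed yet, or outside this execution's window: no match.
        if ev["event.ingested"] > run_at or not (start <= ev[time_field] < end):
            continue
        aid = alert_id_for(ev)
        if aid in seen:
            suppressed += 1                    # overlapping windows -> duplicate removed
            continue
        seen.add(aid)
        created.append({"alert_id": aid, "rule": RULE_ID, "original": ev["_id"]})
    return created, suppressed

def simulate(time_field, runs=(ts(12, 5), ts(12, 10))):
    """Run the rule at each scheduled time; return (alerted event ids, duplicates dropped)."""
    seen, alerted, dropped = set(), [], 0
    for run_at in runs:
        created, suppressed = run_rule(run_at, time_field, seen)
        alerted += [a["original"] for a in created]
        dropped += suppressed
    return alerted, dropped
```

Querying on @timestamp misses e2 entirely (it was indexed after the window that covered its timestamp had already been searched), while querying on event.ingested picks it up in the 12:10 run; in both cases e3, which falls into the overlap of the two windows, is alerted only once.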
16. Zoom and Enhance: Detections
Alerts can reference 1, multiple, or zero events
Alert documents in .siem-signals-<space-id>-0001 (alert id, rule, original) point back to source events (event 1 through event 6) in filebeat-*.
17. Zoom and Enhance: Detections
Distributed tasks with the Alerting framework
Elasticsearch holds the list of tasks to execute; each Kibana instance polls for tasks. Any Kibana instance can execute the task.
18. Zoom and Enhance: Detections
Machine Learning Rules
Machine Learning Job:
● Runs on the Elasticsearch side
● Continuously looks for anomalies in time series
Detection rule:
● wake up every 5m
● check for anomalies
● create an Alert (with its own alert id) for every anomaly
See also: Machine learning and the Elastic Stack: Everywhere you need it